Threat Intelligence

How China’s JDY Is Quietly Mapping the U.S. Military 

In the high-stakes theater of modern cybersecurity, we are conditioned to watch for the loud attacks: the ransomware strikes that paralyze hospitals or the massive data breaches that dominate news cycles. Yet while we fixate on the front door, a quiet, near-invisible surveillance vanguard is systematically mapping the back hallways of our most sensitive defenses. This is the irony of the current threat landscape: the greatest danger is not necessarily the one that destroys our data today, but the one that understands our infrastructure perfectly for tomorrow. 

In early 2024, the U.S. government moved to dismantle the KV-botnet ecosystem, a blow that analysts expected would neutralize a major Chinese espionage conduit. But the JDY cluster, one component of that network, refused to follow the script. Instead of withering away, it has undergone a deliberate and well-resourced resurgence. Emerging from the ashes of its predecessor, it has evolved into a high-performance ghost network. It no longer exists merely to move stolen data; it has been rebuilt as an industrialized reconnaissance engine, a dedicated scouting force for Chinese nation-state actors. 

Why Takedowns Aren’t Always Final 

The survival of the JDY botnet serves as a sobering reminder that infrastructure disruption is often temporary when backed by state-level persistence. While the KV cluster, primarily used for covert data transfer, was neutralized by law enforcement, the JDY cluster was preserved as a durable capability. The operators didn’t just rebuild; they scaled up. 

  • January 2024: Following the public disclosure and disruption, the botnet hit a low point of approximately 650 active nodes. 
  • Mid-2026: The network has surged to more than 1,500 infected devices, well over double its post-takedown footprint in a little over two years. 

This resurgence highlights a strategic shift. By decoupling the reconnaissance cluster from the data-transfer cluster, the operators ensured that even if their noisier assets were seized, their telemetry gathering would continue unabated. 

The Telemetry of War 

Unlike the crude botnets of the past used for Distributed Denial-of-Service (DDoS) attacks, JDY is a precision instrument of industrialized reconnaissance. Its operators utilize the Platypus framework, an open-source reverse-shell tool, and Termite agents to manage a layered architecture of infected hosts. 

This is more than automated scanning. The malware fingerprints hosts across several protocols, and it reportedly sends ICMP echo requests with a fixed identifier (19037) and sequence number (35765) to confirm a target is live before committing to a deeper scan. That pair is a useful detection hook precisely because ordinary ping implementations vary the identifier per process and increment the sequence per packet; the same constants repeated across many destinations are anomalous. The caveat is that such constants are trivial for the operators to change, so treat them as a brittle indicator rather than a durable signature. The resulting data lets the adversary build a searchable database of every exposed service on a target network. 
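To make the ICMP indicator concrete, here is an added example (not code from the page or from Black Lotus Labs) that builds well-formed echo requests, parses the 8-byte ICMP header with checksum verification, and flags packets carrying the article's identifier/sequence pair. The wire byte order of those two constants is an assumption, so the matcher checks both the network-order and little-endian readings; the sample packets are constructed, not captured.

```python
"""
Build and parse ICMP echo requests, flagging the identifier/sequence pair the
article attributes to JDY probes. Added example; not code from the page or from
Black Lotus Labs. Wire byte order of the constants is an assumption, so both
network and little-endian layouts are matched.
"""
import struct

JDY_ICMP_ID = 19037    # identifier quoted in the article
JDY_ICMP_SEQ = 35765   # sequence number quoted in the article
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialize an ICMP echo header (type, code, checksum, id, seq) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; raise on truncation, report checksum validity."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    ident_le, seq_le = struct.unpack("<HH", packet[4:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,
        "id": ident, "seq": seq,              # network byte order
        "id_le": ident_le, "seq_le": seq_le,  # same bytes read little-endian
        "payload_len": len(packet) - 8,
    }


def matches_jdy_probe(info: dict) -> bool:
    """Echo request carrying the article's id/seq pair, in either byte order."""
    if info["type"] != ICMP_ECHO_REQUEST:
        return False
    return (info["id"], info["seq"]) == (JDY_ICMP_ID, JDY_ICMP_SEQ) or \
           (info["id_le"], info["seq_le"]) == (JDY_ICMP_ID, JDY_ICMP_SEQ)


def scan_packets(packets) -> list:
    """Indices of well-formed packets that match the indicator; malformed input is skipped."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            info = parse_icmp(pkt)
        except ValueError:
            continue
        if info["checksum_ok"] and matches_jdy_probe(info):
            hits.append(i)
    return hits


# Constructed sample traffic (not a real capture): a JDY-style probe, an ordinary
# ping whose id/seq vary per process and packet, an echo *reply* carrying the
# indicator values, and a truncated fragment.
SAMPLE_PACKETS = [
    build_icmp(ICMP_ECHO_REQUEST, JDY_ICMP_ID, JDY_ICMP_SEQ),
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh"),
    build_icmp(ICMP_ECHO_REPLY, JDY_ICMP_ID, JDY_ICMP_SEQ),
    b"\x08\x00",
]

if __name__ == "__main__":
    print("matching packet indices:", scan_packets(SAMPLE_PACKETS))
```

Only the first sample packet matches: the echo reply with the same values is ignored because the indicator describes outbound probes, and the truncated fragment is skipped rather than crashing the scanner. Feeding this the ICMP payload of packets pulled from a pcap is enough to sweep a capture for the pattern.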

As noted by researchers at Black Lotus Labs, “JDY’s focus on U.S. military networks is particularly concerning, as it suggests a strategic effort to map infrastructure susceptible to future attacks.” 

Racing the Patch Cycle 

The JDY botnet functions as a vulnerability-targeting pipeline designed to exploit the lag between disclosure and remediation. Its speed is intended to pre-position access before a security team can even finish reading a vendor’s advisory. 

A stark example occurred during the disclosure of a critical Fortinet vulnerability (CVE-2026-35616). JDY nodes began scanning for this specific flaw just hours after its public release. This isn’t merely about technical speed; it is about strategic intent. By identifying vulnerable edge devices in real-time, the botnet enables actors like Volt Typhoon to gain footholds that can be leveraged to study and eventually manipulate physical industrial processes and critical infrastructure. 

The Geography of Deception 

JDY persists by inhabiting the blind spots of modern security. It targets small office/home office (SOHO) and IoT devices built on MIPS and MIPSEL (little-endian MIPS) architectures. These edge systems are hard to monitor: they lack the memory and CPU to run traditional endpoint detection and response (EDR) agents, no mainstream EDR product targets their firmware, and many of the affected models are past end of life and no longer receive patches. 

Top targeted manufacturers: 

  • Cisco (specifically RV320 and RV325 models) 
  • Ubiquiti and Mikrotik 
  • Hikvision and Araknis 
  • Linksys and Mimosa Networks 

By concentrating its presence in the United States and Brazil, the botnet achieves geographic deception. Malicious traffic is obfuscated by blending in with legitimate residential IP addresses, allowing operators to bypass geofencing and reputation-based controls. To a defender, the scan doesn’t look like a Beijing data center; it looks like a neighbor’s compromised router. 

The Raw Socket Advantage 

The sophistication of JDY is most evident in its adaptive scanning engine, a hallmark of advanced persistent threat (APT) tradecraft. The malware modifies its probing logic based on the level of privilege it manages to seize on a compromised host: 

  • Root/administrative access: With root (on Linux, the CAP_NET_RAW capability needed to open raw sockets), the malware uses raw SYN scanning. It crafts its own TCP SYN segments from a fixed source port of 19000 and probes thousands of targets in batches without completing the TCP handshake. Because the connection never reaches the application, nothing is written to service logs. The probe is still visible to anything watching the wire or the flow table: a firewall, NetFlow, or Zeek will record a SYN with no follow-on ACK from the scanner, and the constant source port is itself an anomaly, since ordinary clients use ephemeral ports. 
  • Limited access: Without root, raw sockets are unavailable, so the malware falls back to full-connect probing: banner grabbing and TLS certificate collection over ordinary connections. These complete the handshake and reach the service, so they are noisier but yield richer metadata. 
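One way to surface the root-mode behaviour above from a connection log, as an added example rather than code from the page or any vendor: the record format is a Zeek-style subset whose field names are assumed for this example, the sample log is constructed, and the detector generalizes beyond the article's case. It flags any source sending half-open SYNs to many hosts, then reports whether the source port was held constant and whether it equals the 19000 the article cites.

```python
"""
Detect raw SYN-scan behaviour from connection-log records: a source reusing one
source port (the article cites 19000) to send half-open SYNs to many hosts.
Added example; not code from the page or from any vendor. Field names are a
Zeek-style subset chosen for this example; the sample log is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

JDY_SRC_PORT = 19000  # fixed source port the article attributes to JDY's root-mode SYN scans


@dataclass(frozen=True)
class Conn:
    """Minimal Zeek-style conn record; the field subset is an assumption for this example."""
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    conn_state: str   # Zeek conn_state: S0 = SYN seen, no reply; SF = normal completion
    history: str      # Zeek history: S = originator SYN, h = responder SYN-ACK, A = ACK, D = data


def parse_conn_line(line: str) -> Conn:
    """Parse a tab-separated line: ts orig_h orig_p resp_h resp_p conn_state history."""
    ts, oh, op, rh, rp, state, hist = line.rstrip("\n").split("\t")
    return Conn(float(ts), oh, int(op), rh, int(rp), state, hist)


def is_half_open_syn(c: Conn) -> bool:
    """A raw SYN probe never completes the handshake: the originator sends SYN but never ACKs or sends data."""
    return "S" in c.history and "A" not in c.history and "D" not in c.history


def detect_syn_scanners(conns, min_targets=20) -> dict:
    """Group half-open SYNs by source; flag sources probing many hosts and report source-port reuse."""
    per_src = defaultdict(list)
    for c in conns:
        if is_half_open_syn(c):
            per_src[c.orig_h].append(c)
    findings = {}
    for src, probes in per_src.items():
        targets = {c.resp_h for c in probes}
        if len(targets) < min_targets:
            continue
        port, n = Counter(c.orig_p for c in probes).most_common(1)[0]
        fixed = n == len(probes)
        findings[src] = {
            "probes": len(probes),
            "targets": len(targets),
            "source_port": port,
            "fixed_source_port": fixed,
            "matches_article_port": fixed and port == JDY_SRC_PORT,
        }
    return findings


def _constructed_log() -> list:
    """Constructed sample log (not real traffic): a fixed-port scanner, a random-port scanner, a normal client."""
    lines = []
    t = 1700000000.0
    for i in range(1, 41):   # JDY-style root mode: source port 19000 reused, SYN only, no reply
        lines.append(f"{t + i * 0.01}\t198.51.100.7\t19000\t10.0.0.{i}\t443\tS0\tS")
    for i in range(1, 31):   # scanner using ephemeral source ports; SYN-ACK answered with RST
        lines.append(f"{t + 5 + i * 0.02}\t203.0.113.9\t{40000 + i}\t10.0.1.{i}\t22\tRSTO\tShR")
    for i in range(1, 6):    # ordinary client completing handshakes and exchanging data
        lines.append(f"{t + 10 + i}\t192.0.2.5\t{50000 + i}\t10.0.2.{i}\t443\tSF\tShADadFf")
    return lines


SAMPLE_CONNS = [parse_conn_line(line) for line in _constructed_log()]

if __name__ == "__main__":
    for src, report in detect_syn_scanners(SAMPLE_CONNS).items():
        print(src, report)
```

Both scanners are reported, which is the point of keying on incomplete handshakes rather than on the port alone: the fixed-port finding is the one that lines up with the article's description, while the ephemeral-port scanner would be missed by a rule that only looked for 19000. The ordinary client never appears because its history shows the originator ACKing and sending data.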

This flexibility ensures that the flow of intelligence never stops. Whether it is performing a high-speed silent scan or a metadata-rich deep scan, JDY remains focused on a single goal: building a blueprint of the target network. 

The Reality of the Staged Attack 

The evolution of the JDY botnet forces us to confront a grim reality: we are living through the staging phase of a future conflict. Large swaths of our infrastructure, particularly the operational technology (OT) that powers our energy and defense sectors, are being mapped and fingerprinted right now. 

We must move past the comforting illusion of the secure perimeter. Current research from Dragos suggests a terrifying visibility gap: fewer than one in 10 OT networks have any monitoring in place to detect this kind of mapping activity. We are effectively living in a glass house where the adversary is not only looking through the windows but taking precise measurements of the foundations. 

As we watch JDY grow, we have to ask ourselves: when the adversary has already completed its reconnaissance and knows every vulnerability in our home routers and military gateways, is our traditional defense-in-depth even relevant, or are we just waiting for the lights to go out?